topic Re: Simple search dashboard element in Splunk Search

Simple search dashboard element

maradibs — Mon, 28 Sep 2020 17:27:34 GMT

We have just started using splunk with real data in my organisation, and to a start we're only using it to show and compare events from different types of logs

I'm looking for a way to have some form boxes in a dashboard, so my users just can input a value, and then this value is added to a already defined searchstring in the normal search window

Like i have a predefined search like sourcetype="platform_jboss_log" index="index1" "string"
So when inputting a value it would switch to a search window with the value defined and search is started

I have browsed around here, and in the 6.x dashboard examples not finding anything really useful. - Is this so much out of splunk usecase?

I just wan't to give my users a easy way to search for the stuff they need without they need to prefix their searches manually with sourcetype etc.

Thanks
Mads

Re: Simple search dashboard element

aholzer — Tue, 02 Sep 2014 13:32:46 GMT

You can find basic form examples here.

The key words you are looking for are:

token: the name for the variable that the user can input
searchTemplate: the search with the user input
fieldset: the list of inputs available to the user

You need to define a text input (lets call the token "str"). You then need to incorporate the token "str" into your search string. Your searchTemplate will look something like this:

sourcetype="platform_jboss_log" index="index1" "$str$"

Note that I have put $ around the token, this is what allows Splunk to understand that it's a variable rather than a string.

Hope this helps

Re: Simple search dashboard element

maradibs — Tue, 02 Sep 2014 14:47:48 GMT

Thanks for the answer

It's a bit like what i'm seeking, or not

I want it to make the search in the normal search app when pressing submit, so you can use the facilities that has. - What i see from the form examples it looks a bit.. restricted

Re: Simple search dashboard element

aholzer — Mon, 28 Sep 2020 17:27:39 GMT

Not sure I'm understanding then. You could always set up a Splunk role, and as part of the role define a filter as [sourcetype="platform_jboss_log" index="index1"]. By doing this, it will apply that filter to every search the users with that role have. You'd simply have to set all users to have that new role.

Hope this helps

Re: Simple search dashboard element

maradibs — Wed, 03 Sep 2014 11:06:14 GMT

I have a long list of sourcetypes which different logfiles in our systems has defined.

(40-50 servers in a cluster with the same kind of logfiles, splunk is used as a centralized way to search in them)

Right now my users has to define sourcetype="blabla" in their search query for everytime they want to search in the a specific logfile.

I just want to give my users an easy entrypoint for searching in the different types of logs we have.

Re: Simple search dashboard element

aholzer — Wed, 03 Sep 2014 13:11:59 GMT

If you look at the link I provided in my answer you'll notice that the second example has a dropdown of sourcetypes. I feel like that's exactly what you are looking for.

Give them the dropdown of sourcetypes as the second example in the link (I suggest you do it dynamically) and a text input as the first example in the link show.

Hope this helps

Re: Simple search dashboard element

aweitzman — Wed, 03 Sep 2014 14:38:53 GMT

It seems like your issue is you want the raw output, rather than the table- or chart-style output from @aholzer's great suggestions. If so, use <event> instead of <table>. Assuming you have a dropdown that produces a srcType value and a text input for your str value, you should be able to do something like this:

<row> <event> <searchString>sourcetype="$srcType$" index="index1" "$str$"</searchString> </event> </row>

Check out http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#event for your other options for this tag.